By: Mick Douglas (@bettersafetynet)
The client looked at us from across the table, grimacing as they gulped the foul coffee (sure it’s awful, but hey it’s a free perk!). They leaned in and said conspiratorially “So can you… umm… sort of… help us get the inside scoop on how we can pass this pentest?”
I paused and closed my eyes for a second. I’ve heard pleas like this throughout my career. If you’re a veteran pentester, no doubt you have too. And what I always think… no matter how large or small the client… Nobody passes pentests! It’s their turn to suffer under our boot as we hijack the network and have shells fall down on us like rain. Nobody… nobody passes a pentest. There’s always a way in. Once we’re in, we make their worst nightmares come alive right under their own noses! No, pentests aren’t for passing. They’re to be endured.
Strong though the predatory instinct is, I must push it aside. The “pop ’em all” approach — while immensely fun — is not the way of the true pentester. All too often InfoSec practitioners focus only on the technical aspect of the pentest. If you’re reading this site, chances are good you’re a techie… not a suit. So unless fate has given you a tour of duty on the other side of the table, you have no idea what hell you’re about to bring down on someone who’d rather be doing anything other than dealing with you — the pentester. Things are about to get ugly, and your shell count has nothing to do with it. You are about to turn their world upside down in ways you cannot begin to fathom.
It doesn’t matter if you’re internal, external, a consultant… whatever… you are the enemy… and not in the way you think. Sure, you’re the “enemy” as The Almighty Red Team here to cause mayhem and pop boxes. However, what you might not realize is that the havoc is just getting started once you leave the engagement. Next to nobody will remember the pivots, the recon, or the OSINT you did. None of that really matters… What they will remember is that “Jake the InfoSec Guy” failed at his job — miserably. But wait, there’s more! Not only did he fail, but someone — who doesn’t know our systems — was able to use freely available tools from the internet to compromise our entire network!! To make matters worse, it was done in under a week!! It’s a safe bet that soon the client will look at the budget spent on firewalls, AV, IDS, even the salaries — everything — and think “All this spending… for what? They brushed aside our best efforts as if they were nothing more than cobwebs!”
If all your client gets out of your pentest is that they’ve got a crappy infosec program, then you know what? You’re a crappy pentester.
You may hate to hear this, but you *owe* your client.
You need to give them a complete assessment which checks for multiple paths to the victory conditions.
You need to give them reports which are understandable, actionable, and brief.
You need to teach them what you did so they can re-test for themselves.
You have to show what’s wrong, but also give them multiple options on how to fix, remediate, or compensate for the findings.
You need to offer “quick win” fixes so the infosec program can start rebuilding their credibility after you clipped their wings.
You need to give them suggestions on how to alter business operations to better avoid risks altogether.
You need to give them a road map on how to get better tomorrow… and the next day after.
You need to give and give.
Most of all, you need to give them hope.
About the Author:
Mick Douglas (twitter.com/bettersafetynet) does R&D, PenTesting, and professional services for Diebold Inc. When he’s not doing tech stuff, he’s off in the woods somewhere hiking or trying — mostly in vain — to improve his photography chops.
Thanks to Mick for contributing. I think he’s right on with what we need to do as penetration testers. — Brent Huston